Maturity models are widely used in several domains, ranging from individual business processes to complete management frameworks such as CMMI, ITIL or COBIT. In this paper we develop a detailed maturity model for the management of segregation of duties (SoD) in ERP systems. The model covers several aspects, starting with simple access rights management in individual systems and extending to comprehensive organizational aspects of multi-system environments. By applying this model, organizations can improve compliance regarding access rights in a step-by-step approach. The approach described can also be used to assess an organization's existing segregation of duties processes in order to reveal further improvement opportunities.


Keywords: Maturity Model · Segregation of Duties · SoD · Authorization Process · Authorization/Access Controls · Rule Set



Copyright information

© IFIP International Federation for Information Processing 2011

Authors and Affiliations

  • Jan Omland
  • Nick Gehrke
  • Niels Müller-Wickop

